Bypassing SOP and shouting hello before you cross the pond

“Don’t shout hello before you cross the pond” is a Swedish saying meaning you shouldn’t celebrate until you are absolutely certain. Yesterday I did just that after finding a partial SOP bypass.

It started with me noticing that you could access malformed hostnames in Firefox (on OSX): the URL “http://example.com..” would load example.com and send “example.com..” in the Host header. I then tried adding characters after the leading dots, and “http://example.com..evil.com” also worked.

Instantly I knew this meant SOP could be bypassed, because Flash would treat “http://example.com..evil.com” as under “*.evil.com” while Firefox would treat it as under “example.com”. This meant that we could bypass SOP for any site containing a crossdomain.xml file allowing “*.somedoma.in”.
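The mismatch described above can be checked for from the defender's side. The following is an added example, not code from the original post: it lists the wildcard entries in a crossdomain.xml policy and flags hostnames with empty labels that a suffix-only wildcard match would still accept. The sample policy, the function names and the suffix-matching model are assumptions for illustration, not Flash's actual implementation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample policy (not from a real site); "*.evil.com" mirrors the post.
SAMPLE_POLICY = """
<cross-domain-policy>
  <allow-access-from domain="*.evil.com"/>
  <allow-access-from domain="static.example.org"/>
</cross-domain-policy>
"""

LABEL_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?")

def allowed_domains(policy_xml):
    """Return every allow-access-from domain in a crossdomain.xml document."""
    # For untrusted input, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(policy_xml.strip())
    return [e.get("domain", "") for e in root.iter("allow-access-from")]

def wildcard_entries(policy_xml):
    """Entries that trust a whole subdomain tree (or everything)."""
    return [d for d in allowed_domains(policy_xml) if d.startswith("*")]

def suffix_match(host, pattern):
    """Suffix-only wildcard match (assumed model, not Flash's real code)."""
    host, pattern = host.lower(), pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def is_well_formed(host):
    """Strict hostname check: no empty labels, so 'a..b' is rejected."""
    if len(host) > 253:
        return False
    name = host[:-1] if host.endswith(".") else host  # one root dot is legal
    return all(len(l) <= 63 and LABEL_RE.fullmatch(l) for l in name.split("."))

def risky_matches(host, policy_xml):
    """Policy entries that a malformed host would still satisfy."""
    if is_well_formed(host):
        return []
    return [p for p in allowed_domains(policy_xml) if suffix_match(host, p)]

if __name__ == "__main__":
    print(wildcard_entries(SAMPLE_POLICY))
    print(risky_matches("example.com..evil.com", SAMPLE_POLICY))
```

Rejecting hostnames that fail `is_well_formed` before any policy comparison removes the disagreement between the two parsers, whichever suffix rule the policy consumer applies.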

At this point I checked Alexa top 10000 and confirmed 7% was exploitable. I made a PoC for yahoo.com:

Aftermath of going to http://sds.ekil.dog..yahoo.com/loader.swf?url=https://www.yahoo.com&method=GET&callback=url

To make sure the bug wasn’t only on my machine I asked a co-worker to try it out in his VM. Yep, that worked. Finally, I updated Firefox to the newest version and the bug was still there. In my excitement I hinted on Twitter about what I’d found and started planning disclosure and writeup. Bug = Verified, right?

Not so fast. The mistake was that I didn’t update the OS to the newest version. Later when I did, the bug was dead. After some digging I came to the conclusion that it was fixed when CVE-2015-3755 was patched (6 months ago).

CVE-2015-3755 was reported as a URL spoofing bug by xisigr, and his writeup can be found at https://xisigr.com/x/cve-2015-3755/. Updating to OSX Yosemite 10.0.5 or OSX El Capitan will fix this bug.